
Securing WebLogic Web Services for Oracle WebLogic Server

■ Section 2.24, Securing Web Services Atomic Transactions
■ Section 2.25, Proprietary Web Services Security Policy Files (JAX-RPC Only)

2.1 Overview of Message-Level Security

Message-level security specifies whether the SOAP messages exchanged between a client application and the Web service it invokes are digitally signed, encrypted, or both. It can also specify a shared security context between the Web service and the client for the case in which they exchange multiple SOAP messages. Because the protection is applied to the message itself rather than to the transport connection, it persists across SOAP intermediaries. You can use message-level security to ensure:

■ Confidentiality, by encrypting message parts
■ Integrity, by digitally signing message parts
■ Authentication, by requiring username, X.509, or SAML tokens

See Section 2.4, Configuring Simple Message-Level Security, for the basic steps you must perform to configure simple message-level security. This chapter discusses configuration of the Web services runtime environment, configuration of message-level security for a particular Web service, and how to code a client application to invoke the service. You can also configure message-level security for a Web service at runtime, after the Web service has been deployed. See Section 2.10, Associating Policy Files at Runtime Using the Administration Console, for details.

2.1.1 Web Services Security Supported Standards

WebLogic Web services implement the following OASIS Standard Web Services Security (WS-Security) 1.1 specifications, dated February 1, 2006 (http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss):

■ WS-Security 1.0 and 1.1
■ Username Token Profile 1.0 and 1.1
■ X.509 Token Profile 1.0 and 1.1
■ SAML Token Profile 1.0 and 1.1

These specifications provide security token propagation, message integrity, and message confidentiality. The mechanisms can be used independently (for example, passing a username token for user authentication) or together (for example, digitally signing and encrypting a SOAP message and requiring that the user authenticate with an X.509 certificate).

2.1.1.1 Web Services Trust and Secure Conversation

WebLogic Web services implement the Web Services Trust (WS-Trust) 1.3 and Web Services Secure Conversation (WS-SecureConversation) 1.3 specifications, which together provide secure communication between Web services and their clients, whether those clients are other Web services or standalone Java client applications. The WS-Trust specification defines extensions that provide a framework for requesting and issuing security tokens and for brokering trust relationships. The WS-SecureConversation specification defines mechanisms for establishing and sharing security contexts, and for deriving keys from those contexts, so that a client and a service can exchange many messages under one context. Because the token exchange that establishes the context happens once, and each subsequent message uses a key derived from the shared context rather than the context secret itself or a freshly negotiated key, the security context and derived keys can improve both the performance and the security of the subsequent exchanges.

Note: You cannot digitally sign or encrypt a SOAP attachment.

Note: Standards Supported by WebLogic Web Services is the definitive source of Web service standards supported in this release.
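The key derivation that the WS-SecureConversation paragraph above refers to, as an added example that is not code from the WebLogic documentation or product: it implements the P_SHA1 function that WS-SecureConversation 1.3 borrows from TLS 1.0 and derives per-message keys from a context secret, a nonce, an offset and a length, using the specification's default label. The context key, the nonces and the function names `derive_key` and `derive_key_generation` are constructed for the example and assumed, not taken from WebLogic.

```python
"""Derived keys from a WS-SecureConversation 1.3 security context (added example)."""
import hashlib
import hmac
import os

# Default wsc:Label from WS-SecureConversation 1.3 (the string
# "WS-SecureConversation" written twice); spec defaults: Offset 0, Length 32.
DEFAULT_LABEL = b"WS-SecureConversationWS-SecureConversation"


def hmac_sha1(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 P_SHA1 (RFC 2246, section 5), which WS-SecureConversation reuses:
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    P_SHA1 = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out = bytearray()
    a = seed
    while len(out) < length:
        a = hmac_sha1(secret, a)
        out += hmac_sha1(secret, a + seed)
    return bytes(out[:length])


def derive_key(secret: bytes, nonce: bytes, offset: int = 0, length: int = 32,
               label: bytes = DEFAULT_LABEL) -> bytes:
    """Key material for a wsc:DerivedKeyToken: bytes [offset, offset+length) of
    P_SHA1(secret, label || nonce). `secret` is the context key behind the
    wsc:SecurityContextToken; `nonce` is the derived key token's wsc:Nonce."""
    if offset < 0 or length <= 0:
        raise ValueError("offset must be >= 0 and length > 0")
    stream = p_sha1(secret, label + nonce, offset + length)
    return stream[offset:offset + length]


def derive_key_generation(secret: bytes, nonce: bytes, generation: int,
                          length: int = 32) -> bytes:
    """wsc:Generation form of the token: generation n selects offset n * length."""
    return derive_key(secret, nonce, generation * length, length)


def demo() -> dict:
    # Constructed values standing in for a real context key and per-message nonces.
    context_key = bytes(range(32))
    request_nonce = os.urandom(16)
    response_nonce = os.urandom(16)
    k_sig = derive_key(context_key, request_nonce, 0, 32)   # signing key for the request
    k_enc = derive_key(context_key, request_nonce, 32, 32)  # disjoint offset: separate key
    k_resp = derive_key(context_key, response_nonce)        # fresh nonce: fresh key
    return {"sig": k_sig.hex(), "enc": k_enc.hex(), "resp": k_resp.hex()}


if __name__ == "__main__":
    for name, hexkey in demo().items():
        print(name, hexkey)
```

The context secret never appears on the wire; each message carries only the nonce, offset and length, and both sides recompute the same key. Using disjoint offsets (or generations) for signing and encryption keys keeps the two uses from sharing key material.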

2.1.1.2 Web Services SecurityPolicy 1.2

The WS-Policy specification defines a framework that lets Web services express their constraints and requirements as policy assertions. WS-SecurityPolicy defines a set of security policy assertions for use with the WS-Policy framework that describe how messages are to be secured in the context of WSS: SOAP Message Security, WS-Trust, and WS-SecureConversation: for example, which parts of a message must be signed or encrypted, which token types are acceptable, and which algorithm suite to use. You configure message-level security for a Web service by attaching one or more policy files that contain security policy statements, as specified by the WS-SecurityPolicy specification. See Section 2.3, Using Policy Files for Message-Level Security Configuration, for detailed information about how the Web services runtime environment uses security policy files. For the elements of Web Services SecurityPolicy 1.2 that are not supported in this release of WebLogic Server, see Section 2.18, Unsupported WS-SecurityPolicy 1.2 Assertions.
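What a WS-SecurityPolicy 1.2 policy file says, as an added example that is not one of WebLogic's predefined policy files: a constructed policy in the standard WS-Policy 1.5 and WS-SecurityPolicy 1.2 namespaces, plus a small reader that lists the binding, tokens, algorithm suite, signed and encrypted parts, and flags the assertions a reviewer looks for first. The function names `summarize` and `lint`, the weakened second policy, and the lint rules are assumptions for illustration; the rules are generic review heuristics, not WebLogic's own policy validation.

```python
"""Read the security requirements out of a WS-SecurityPolicy 1.2 policy (added example)."""
import xml.etree.ElementTree as ET

WSP = "{http://www.w3.org/ns/ws-policy}"                            # WS-Policy 1.5
SP = "{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}"  # WS-SecurityPolicy 1.2

# Constructed policy (not a WebLogic predefined file): X.509 certificates on both
# sides, Basic256 suite, strict layout, timestamp required, Body and the
# WS-Addressing headers signed, Body encrypted.
STRONG_POLICY = """<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:ExactlyOne><wsp:All>
    <sp:AsymmetricBinding><wsp:Policy>
      <sp:InitiatorToken><wsp:Policy>
        <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
          <wsp:Policy><sp:WssX509V3Token11/></wsp:Policy>
        </sp:X509Token>
      </wsp:Policy></sp:InitiatorToken>
      <sp:RecipientToken><wsp:Policy>
        <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
          <wsp:Policy><sp:WssX509V3Token11/></wsp:Policy>
        </sp:X509Token>
      </wsp:Policy></sp:RecipientToken>
      <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
      <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
      <sp:IncludeTimestamp/>
      <sp:OnlySignEntireHeadersAndBody/>
    </wsp:Policy></sp:AsymmetricBinding>
    <sp:SignedParts><sp:Body/><sp:Header Namespace="http://www.w3.org/2005/08/addressing"/></sp:SignedParts>
    <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
    <sp:Wss11><wsp:Policy><sp:MustSupportRefKeyIdentifier/></wsp:Policy></sp:Wss11>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""

# The same policy with two assertions dropped: no timestamp, nothing encrypted.
WEAK_POLICY = (STRONG_POLICY
               .replace("<sp:IncludeTimestamp/>", "")
               .replace("<sp:EncryptedParts><sp:Body/></sp:EncryptedParts>", ""))


def _parts(el):
    """Names of the message parts listed under sp:SignedParts / sp:EncryptedParts."""
    out = []
    for part in el:
        if part.tag == SP + "Body":
            out.append("Body")
        elif part.tag == SP + "Header":
            out.append("Header:%s@%s" % (part.get("Name", "*"), part.get("Namespace", "")))
    return out


def summarize(policy_xml):
    """Walk the policy in document order and collect what it requires of a message."""
    s = {"binding": None, "tokens": [], "algorithm_suite": None,
         "include_timestamp": False, "signed": [], "encrypted": []}
    for el in ET.fromstring(policy_xml).iter():
        if not el.tag.startswith(SP):
            continue
        name = el.tag[len(SP):]
        include = el.get(SP + "IncludeToken")
        if name.endswith("Binding"):
            s["binding"] = name
        elif include is not None:  # token assertions (X509Token, UsernameToken, SamlToken, ...)
            s["tokens"].append(name + "/" + include.rsplit("/", 1)[1])
        elif name == "AlgorithmSuite":
            s["algorithm_suite"] = list(el.find(WSP + "Policy"))[0].tag[len(SP):]
        elif name == "IncludeTimestamp":
            s["include_timestamp"] = True
        elif name == "SignedParts":
            s["signed"] += _parts(el)
        elif name == "EncryptedParts":
            s["encrypted"] += _parts(el)
    return s


def lint(s):
    """Generic review heuristics over a summary (not WebLogic's policy validation)."""
    findings = []
    if "Body" not in s["signed"]:
        findings.append("Body is not signed: the payload has no integrity protection")
    if not s["include_timestamp"]:
        findings.append("no IncludeTimestamp: nothing bounds how long a captured "
                        "signed message remains acceptable")
    if "Body" not in s["encrypted"]:
        findings.append("Body is not encrypted: the payload is readable by any intermediary")
    suite = s["algorithm_suite"] or ""
    if suite.endswith("Rsa15") or "TripleDes" in suite:
        findings.append("algorithm suite %s: RSA-1.5 key transport / 3DES are legacy choices" % suite)
    return findings


if __name__ == "__main__":
    for label, policy in (("strong", STRONG_POLICY), ("weak", WEAK_POLICY)):
        summary = summarize(policy)
        print(label, summary, lint(summary) or "no findings")
```

Reading a policy this way, rather than trusting its file name, is how you confirm that an attached policy actually signs and encrypts the parts you care about; dropping a single assertion such as sp:IncludeTimestamp changes what the runtime will accept without any visible change elsewhere in the file.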

2.2 Main Use Cases of Message-Level Security